CCNA Security Certification Tutorial:
IP Spoofing And RFC 3704 / 2827 Filtering
Chris Bryant, CCIE #12933
ISDN is long gone from Cisco certification exams, but there's a term from the ISDN days that you need to know for your CCNA Security exam ... "spoofing".
When two routers communicate via ISDN, one router is basically making a phone call to another. Obviously, we can't have that call in place all the time or we're going to get a really big phone bill!
Instead, we'd allow the ISDN line to show as "spoofed", so the connecting network would appear in the routing tables but the actual phone call would not be in place.
We don't have to concern ourselves with ISDN spoofing for these exams, but for these exams *and* real-world network security, we have to be familiar with IP spoofing.
Simply put, when a network intruder uses the IP address of a trusted device in order to gain access to your network, that's IP Spoofing.
IP Spoofing can be used against your network in several ways:
Injecting a stream of malicious code and/or commands into your network
To trick legitimate network hosts into sending sensitive data to the attacker
As part of a reconnaissance attack , an attack that in itself may not be damaging, but is used to gather information for future, more destructive attacks.
One simple and powerful step we can take to stop these attacks is preventing IP packets with certain IP source addresses from being admitted to our network in the first place.
Think about it - if a packet arrives on your network's outside router with a source IP address of 0.0.0.0, is it likely from a legitimate source?
So what other source IP addresses should we be concerned about?
Two RFCs define these suspect addresses. The original is RFC 2827, and the updated version is RFC 3704. The latter recommends that you prohibit packets with source IP addresses from the following ranges from entering your network -- and some of these ranges should look familiar!
10.0.0.0 /8 (RFC 1918 Class A private range)
127.0.0.0 /8 (loopback address range)
172.16.0.0 /12 (RFC 1918 Class B private range)
192.168.0.0 /16 (RFC 1918 Class C private range)
18.104.22.168 /4 (reserved for IP multicasts)
240.0.0.0 /4 (RFC 1918 Class E private range)
Blocking these address ranges for incoming traffic on your network's perimeter routers is sometimes called "2827 filtering" or "3704 filtering", referring to the original and updated RFCs that discuss this topic in a great deal of detail.
You can also use a combination of encryption techniques such as IPSec, one-time-only passwords, and access lists to defend against spoofing attacks. The combination you use really depends on your network, but in any case I would use RFC 3704 filtering.
If you place your router into "one-step lockdown", packets sourced from any of these ranges are blocked.
Of course, not all harmful packets will be source from these ranges - but blocking these ranges is an excellent step in the right direction!
Celebrate our 10th Anniversary with this unbeatable deal:
Earn your CCNA Security certification for just $10!